Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack


Google and Mozilla have patched the zero-day vulnerability, which originates in the libvpx library.


Google and Mozilla have patched a zero-day vulnerability in Chrome and Firefox, respectively. The vulnerability was being exploited by a commercial spyware vendor. The flaw could leave users open to a heap buffer overflow, through which attackers could inject malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.

If you use Chrome, update to 117.0.5938.132 when it becomes available; Google Chrome says it may take “days/weeks” for all users to see the update. In Firefox, the exploit is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.
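For administrators checking a fleet against the fixed builds listed above, the following added example (not part of the original article) compares reported browser version strings with those builds. The product keys, the `needs-update`/`unknown` labels and the inventory rows are assumptions constructed for illustration, and the check assumes that any build at or above a listed one carries the fix.

```python
import re

# Fixed builds exactly as listed in the article; the keys are hypothetical labels.
FIXED = {
    "chrome": (117, 0, 5938, 132),
    "firefox": (118, 0, 1),
    "firefox-esr": (115, 3, 1),
    "firefox-focus-android": (118, 1),
    "firefox-android": (118, 1),
}

def parse_version(text):
    """Return the first dotted version in text as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group().split("."))

def status(product, version_text):
    """Classify one install as 'patched', 'needs-update' or 'unknown'."""
    # ESR builds report e.g. '115.3.1esr'; judge them against the ESR fix,
    # not the 118.0.1 release fix, or every patched ESR host is flagged.
    if product == "firefox" and "esr" in version_text.lower():
        product = "firefox-esr"
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown"  # the article lists no fixed build (e.g. Edge)
    have = parse_version(version_text)
    width = max(len(have), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so 118.0 compares as 118.0.0
    return "patched" if pad(have) >= pad(fixed) else "needs-update"

def audit(inventory):
    """Return (host, product, status) for every host that is not confirmed patched."""
    rows = [(host, prod, status(prod, ver)) for host, prod, ver in inventory]
    return [row for row in rows if row[2] != "patched"]

# Constructed sample inventory: (host, product, reported version string).
INVENTORY = [
    ("ws-01", "chrome", "Google Chrome 117.0.5938.92"),
    ("ws-02", "chrome", "Google Chrome 117.0.5938.132"),
    ("ws-03", "firefox", "Mozilla Firefox 118.0"),
    ("ws-04", "firefox", "Mozilla Firefox 115.3.1esr"),
    ("ws-05", "firefox", "Mozilla Firefox 115.3.0esr"),
    ("ws-06", "edge", "Microsoft Edge 117.0.2045.43"),
]

if __name__ == "__main__":
    for host, product, state in audit(INVENTORY):
        print(f"{host}\t{product}\t{state}")
```

Hosts reported as `unknown` run software the article names as possibly affected without giving a fixed build, so they need the vendor's own advisory rather than this table.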


This zero-day vulnerability originates in the libvpx library

The zero-day vulnerability is technically a heap buffer overflow in VP8 encoding in libvpx, which is a video codec library developed by Google and the Alliance for Open Media. It is widely used to encode or decode videos in the VP8 and VP9 video coding formats.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.

From there, the vulnerability “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said the official Common Vulnerabilities and Exposures site.


The vulnerability is being tracked by Google as CVE-2023-5217. Clément Lecigne, a security researcher at Google’s Threat Analysis Group, found the flaw on September 25, leading to a patch on September 27.

“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.

There is not a lot more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the…
